#!/bin/bash
#
# C  => 国家 Country
# ST => 省 State
# L  => 市 City
# O  => 机构 Organization
# OU => 部门 Organization Unit
# CN => 域名 Common Name (证书所请求的域名)

# 1. 生成CA私钥, 证书
openssl genrsa -out ca.key 2048

openssl req -x509 -new -nodes -key ca.key \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=ezcloud/OU=ezcloud CA/CN=ezcloud.com" \
  -days 3650 -out ca.crt

# 2. 生成服务端私钥
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/C=CN/ST=Beijing/L=Beijing/O=ezcloud/OU=ezcloud server/CN=*.ezcloud.com" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile <(printf "subjectAltName=DNS:*.ezcloud.com,DNS:ezcloud.com")  -out server.crt -days 3650

# 2. 生成client私钥
openssl genrsa -out client.key 2048
openssl req -new -key client.key -subj "/C=CN/ST=Beijing/L=Beijing/O=ezcloud/OU=ezcloud server/CN=*.ezcloud.com" -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile <(printf "subjectAltName=DNS:*.ezcloud.com,DNS:ezcloud.com")  -out client.crt -days 3650
# 组成证书链 [ca.crt]
cat ca.crt >> ./server.crt

## 3. 使用curl测试
## curl --trace trace.log -k --cacert ca.crt --cert client.crt --key client.key https://localhost:8080/